Data crunch time


Many companies have been caught off guard by China’s new data laws, forcing them into hasty policy alterations. Helen Gu, general counsel of Weibo’s principal shareholder Sina Group, urges enterprises to take a more proactive approach to data governance


WITH THE GENERATION upon generation upgrading of internet technology, the pace at which data resources are transforming our way of life is quickening, empowering industrial upgrades while lending a hand to a new round of technological revolution.

It is precisely for this reason that the competition among platform enterprises around data rights and interests is heating up. How to effectively manage and use data resources lawfully collected by a platform are crucial issues in urgent need of resolution. This requires all social entities to jointly maintain and promote the improvement and development of enterprise data governance systems so as to give rise to a sound and orderly data element allocation mechanism, and ensure the sustainable and efficient operation of the data market.


The Data Security Law (DSL), the Personal Information Protection Law (PIPL) and a series of complementary measures that have successively entered into effect have set a new roadmap for data governance by Chinese enterprises, providing a governance approach and measures that are in keeping with the new issues and challenges arising in the industry, and also establishing more definite guidelines and rules for the development of the industry.

Helen Gu
General Counsel
Sina Group

The DSL, which entered into effect on 1 June 2021, establishes China’s dual governance logic of “protection + use” of data. It implements the overall national security approach, ensures the status of data as a fundamental strategic resource, and establishes the basic systems of administration of data by type and level, data security reviews, data security risk assessments, monitoring, early warning and emergency response.

It further stresses the equal importance of security and development, regulates data activities while promoting the reasonable and effective use of data in accordance with the law, and provides the regulatory backup for fully leveraging the roles of data as a fundamental resource and an engine of innovation.

The author argues that it is only by correctly understanding the macro purpose of the DSL that enterprises can veritably and effectively put in place data management systems and ensure the lawfulness and compliance of their various market actions.

The PIPL, which entered into effect on 1 November 2021, represents the first set of detailed rules, following the Civil Code, which protect personal information as an important civil right, providing greater specificity and operability in the following four areas:

  • Setting “inform-consent” as the core rule of the protection of personal information. It establishes the validity of a user’s consent on the foundation of full notification by a platform, including “separate consent” and “written consent”, as well as the right to withdraw consent.
  • Emphasising the prohibition on “big data-enabled price discrimination”. It specifies that a personal information processor that uses personal information for automated decision-making is required to ensure the transparency of such decision-making, and the fairness and impartiality of the outcome, and is prohibited from unreasonably treating individuals in a discriminatory manner in terms of transaction price and other such transaction conditions.
  • Requiring strict measures to protect sensitive personal information. It requires that sensitive personal information be processed only if there is a specific purpose and sufficient necessity, if strict protection measures are taken, if the separate consent of the user is secured, and if a prior impact assessment is conducted. Furthermore, the law requires that the individual be fully informed of the necessity of processing such information, and its impact on his or her rights and interests.
  • Strengthening the obligations of personal information processors. A personal information processor is the party with chief responsibility for the protection of personal information, is liable for its personal information processing activities, and is required to take the measures necessary to ensure the security of the personal information that it processes. To that end, this law has a chapter that expressly sets out the obligations of compliant management and ensuring the security of personal information borne by personal information processors.


The new governance vision also places new requirements on the compliance models of enterprises. Enterprises need to deepen their knowledge of the dual positioning of data: (1) data being a fundamental strategic resource of the state, which makes it incumbent upon enterprises to strengthen the importance that they attach to data protection; and (2) data being a key factor of production places greater requirements on enterprises’ data governance, development and utilisation capabilities.

In light of current practice, enterprises mainly face the following three challenges in data governance:

Improving data quality and ensuring data compliance requires global thinking. In the course of data governance, enterprises not only need to enhance their data management technologies and levels, but should also pay attention to the issue of data quality. Data quality almost invariably represents an enterprise’s core competitiveness, with high-quality data being a key factor that permits an enterprise to achieve its strategic objectives in digital competition.

The poorer the quality of the data in the hands of an enterprise, the less accurate and authoritative the judgments it can make based on the data, thereby jeopardising its survival in the data market. Accordingly, how to ensure data quality while efficiently processing vast amounts of
inchoate data is a major new challenge that corporate compliance is required to face.

Data governance model needs to focus on finding a balance between enterprise and individual interests. Data and personal information are inextricably linked, and an enterprise may be both a collector and processor of personal information or, alternatively, a controller and processor of data.

A sound data governance model should serve the objective of erecting a secure, reliable, high-speed and effective digital market operating mechanism.

Accordingly, in the context of the new legislative regime, data governance needs to take into account all entities upstream and downstream in the data industrial chain, and comprehensively consider rights and interests in personal information, and the enterprise’s development and innovation needs.

However, as conflicts between the interests of individuals and enterprises, and between those of enterprise and enterprise, arise quite readily an enterprise, when formulating its data governance model, will set up its co-operation model in light of its own role in the industry chain.

But such a governance approach is incompatible with a stringently regulated market environment. Accordingly, how to balance the relationship between the interests of all parties and one’s own self-development on the basis of a sound understanding of the macro environment is the second challenge that digital enterprises face.

Risks to data security remain as serious as ever. Although every country is beefing up its efforts to protect critical information infrastructure, and enterprises are continually upgrading their network protection mechanisms, hacking technology is likewise developing in lockstep with technological progress such that the risk of data leakage remains as serious as ever.

For example, not long ago Shutterfly, the world’s largest image service company, was threatened to pay a large ransom on pain of disclosure of data stolen by ransomware from it, data that included bank and merchant account information, login credentials and electronic forms for company services and private user information. There is no doubt that a data leak can be life threatening for an enterprise.

However, enhancing data security not only requires improved data encryption technology, but also beefing-up protection at the levels of network security and network infrastructure.

Whether an enterprise has the capacity to formulate relatively rational cross-departmental and co-operative systematic data governance measures, effectively strengthen the linkage and response speed across departments, and upgrade protective technologies in a timely manner to minimise relevant risks is the third challenge that enterprises face.


To meet the above-mentioned data governance challenges, an enterprise not only needs to hone its internal strengths, but also come to grips with the developmental dynamics of the industry. The author puts forward the following three recommendations for the establishment and improvement of enterprise data governance models.

(1) An enterprise can enhance and control the quality of its existing data and improve its current data governance level in light of its actual circumstances and by focusing on resolving its current data governance difficulties. It can strengthen the development of a prior screening mechanism and build an advanced algorithm model for the initial screening and management of data to avoid such problems as data redundancy and information duplication. It can further review data sources to ensure the lawfulness and reliability of such sources. Finally, it can strengthen ex-post oversight and take timely and effective remedial measures to correct data defects.

(2) As an industry consensus, an industry self-regulatory mechanism can be promoted that gives rise to benign interaction with the external mandatory rules of state laws. An enterprise must strictly abide by relevant provisions of laws and regulations, input the data it collects to the data trading platform in a timely, accurate and complete manner, and fully ensure such rights of data rights holders as the right to request deletion of data, the right to opt out, etc.

An enterprise, as a second step, should fully mobilise the proactivity and positivity of data governance, abide by basic ethical norms and industry standards, and strengthen its sense of social responsibility. Finally, it should establish and enhance a set of mechanisms for inter-enterprise and enterprise-user communication to enhance mutual understanding, foster trust mechanisms and maintain a balanced development model.

(3) Network vulnerabilities arise continually and there is no one-size-fits-all measure to prevent them. Accordingly, an enterprise should continually improve data security measures and establish dynamic preventive mechanisms. An enterprise needs to establish a network security prevention mechanism ledger to ensure supply chain security and the cutting-edge nature and applicability of its products and technologies.

It should also establish and improve measures for the protection of data by type and level, establish strict protection mechanisms for core data and key data, and dynamically adjust enterprise data by type and level.

As another step, it should strengthen the identification and tracking of product vulnerabilities and network security vulnerabilities, timely upgrade data protection-related technologies, and enhance the flexibility and stability of preventive measures to ensure the stable operation of its data security assurance mechanisms and their ability to respond to unexpected risks.


With the increasingly extensive integration of information technology and the socio-economy, all kinds of data are growing furiously and pooling in vast quantities, having a major and profound impact on economic development and people’s lives. Data have also become a new engine of economic development and a new link in exchanges and co-operation.

In such an era, enterprises require profound knowledge and keen awareness of the new regulatory framework, and need to formulate effective data governance rules, enhance their data governance capabilities, and actively assume their attendant social responsibilities so as to accelerate their digital development and promote their sustainable development to satisfy the diverse needs of the new era. subscripton ad red 2022